Avast WEBforum

Other => Viruses and worms => Topic started by: sasin44 on June 21, 2007, 09:31:53 PM

Title: multiple infection!!!!!
Post by: sasin44 on June 21, 2007, 09:31:53 PM
Hi,
2 days ago I scanned my system with AVG Anti-Spyware and found a memory-resident trojan named
"downloader.agent.uj".
I took a look at the processes and found that there was no active process running..
After analysing the HijackThis log myself I found something really weird...
All I could make out of it was that it was a DLL infection...
It was rpcc.dll in the system32 folder.

I could trace its registry entries to:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc
Asynchronous=1

Impersonate=1
and

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc
Startup
Startup

This is my first .dll infection and I don't know how to go about deleting this one. cont...
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 21, 2007, 09:33:11 PM
I scanned it with VirusTotal and here is what I got...

Complete scanning result of "rpcc.dll"

Antivirus Version Update Result
AhnLab-V3 2007.6.20.1 06.20.2007 Win-Trojan/Dlena.31232.L
AntiVir 7.4.0.34 06.20.2007 TR/Proxy.Dlena.CQ.4
Avast 4.7.997.0 06.20.2007  no virus found
AVG 7.5.0.467 06.19.2007 Proxy.NJQ
BitDefender 7.2 06.20.2007 Worm.P2P.AB
CAT-QuickHeal 9.00 06.19.2007 TrojanProxy.Dlena.cq
ClamAV devel-20070416 06.20.2007 Trojan.Proxy-653
NOD32v2 2341 06.20.2007 Win32/TrojanProxy.Dlena 
Prevx1 V2 06.20.2007 Generic.Malware
Sunbelt 2.2.907.0 06.09.2007 SpamTool.Win32.Agent.h
Symantec 10 06.20.2007 Trojan.Packed.9
TheHacker 6.1.6.136 06.20.2007 Trojan/Proxy.Dlena.cq
Webwasher-Gateway 6.0.1 06.20.2007 Trojan.Proxy.Dlena.CQ.4
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 21, 2007, 09:42:52 PM
I decided to ignore the DLL infection and take help from you guys after my exams,
since it was not affecting my bandwidth anyway.
But now I got another infection: I clicked on a 2.56 MB .exe file after scanning it with AVG and avast!, which detected nothing.
Then I saw that Mozilla Firefox was running as a process; I knew I was infected right away.
But
then I could terminate the process and it would come right back in 30 seconds.
I managed to rename firefox.exe to 1firefox.exe...
but unfortunately there was some hidden process running which used 70% of the CPU and my computer became very slow.............
I had disabled access to regedit through AVG Anti-Spyware >> Tools,
so I figured that if I rebooted, the malware on my system would not be able to autostart itself...
but it was able to autostart. Now I have two firefox.exe running in processes..
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 21, 2007, 09:44:03 PM
Log before reboot

Logfile of HijackThis v1.99.1
Scan saved at 12:11:53 AM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\softwares\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{E594B39C-D9A5-4E09-B363-7CBDDD2066EE}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O20 - Winlogon Notify: hggedbx - hggedbx.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\.exe (file missing)

Title: Re: multiple infection!!!!!
Post by: sasin44 on June 21, 2007, 09:46:10 PM
Log file after reboot

Logfile of HijackThis v1.99.1
Scan saved at 1:13:14 AM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\softwares\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{E594B39C-D9A5-4E09-B363-7CBDDD2066EE}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O20 - Winlogon Notify: hggedbx - hggedbx.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\.exe (file missing)

Title: Re: multiple infection!!!!!
Post by: sasin44 on June 21, 2007, 09:53:06 PM
I was using Internet Explorer when taking the HijackThis log....
Do you guys want me to terminate the firefox.exe processes,
rename firefox.exe as 1firefox.exe,
and take another log and post it???? ;D
If I do the renaming my system starts to slow down, since there is another invisible process running
which is trying to start the firefox.exe process and eats up my CPU.
Title: Re: multiple infection!!!!!
Post by: FreewheelinFrank on June 21, 2007, 09:59:51 PM
You have a DNS redirection infection. See here:

http://forum.avast.com/index.php?topic=24967.msg206445#msg206445 (http://forum.avast.com/index.php?topic=24967.msg206445#msg206445)

These can be associated with a rootkit, so try some rootkit scans, or the anti-rootkit tool mentioned in the thread, if you see the signs of that rootkit.

rpcc.dll is bad.

Try the usual suspects. (Here follows cut and paste advice.)

Look for and remove rootkits (hidden malware) with these scans:

Panda Antirootkit (http://www.pandasoftware.com/products/antirootkit/)

Blacklight (http://www.f-secure.com/blacklight/)

AVG Anti-Rootkit (http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5)

Try a boot time scan with avast!? Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested.

Try the usual free adware/spyware scanners?

AVG Anti-Spyware (http://www.ewido.net/en/product/) (Requires Win2k/XP)
a-Squared Free (http://www.emsisoft.com/en/software/free/)
Ad-Aware (http://www.download.com/3000-2144-10045910.html)
Spybot Search & Destroy (http://www.safer-networking.org/en/download/index.html)

Download, install and update all the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode (http://www.pchell.com/support/safemode.shtml) if possible.
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 21, 2007, 10:49:43 PM
So can I boot in safe mode and remove the rpcc.dll infection........
by deleting the registry entries I mentioned above ?????
Title: Re: multiple infection!!!!!
Post by: FreewheelinFrank on June 21, 2007, 11:15:19 PM
If the scanners I mentioned fail to remove rpcc.dll, try SUPERAntiSpyware: it has a write up and should fix it.

http://www.fileresearchcenter.com/R/RRPC.DLL-9305.html (http://www.fileresearchcenter.com/R/RRPC.DLL-9305.html)

I think Winlogon processes run even in Safe Mode, so you will need a process-injection-killing anti-malware program: AVG Anti-Spyware is another option, or a boot time scan with avast! if it detects this file.

You will also need to remove the DNS hijack entries with HijackThis! If they come back, it means a rootkit, so you will need to scan for rootkits, or maybe use FixWareout (see thread).

Check the O17 entries and if they are domains associated with a DNS hijack, fix them.

Good luck!
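The checks Frank describes (O17 NameServer values pointing at resolvers the owner never configured, O20 Winlogon Notify packages, O23 services whose file is missing) can be automated over a saved HijackThis log. The script below is an added example written for this page; it is not part of the thread or of HijackThis. The sample lines are copied from the logs posted above, and the allowlist of expected resolvers is an assumption you replace with your ISP's or router's DNS addresses.

```python
"""Triage a HijackThis 1.99 log for the three entry types discussed in this thread:
O17 NameServer overrides, O20 Winlogon Notify packages and O23 services."""
import re
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

Finding = namedtuple("Finding", "code reason item line")

# Constructed sample: a handful of lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O20 - Winlogon Notify: hggedbx - hggedbx.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\.exe (file missing)
"""

# Every HJT line of interest starts with a section code such as R0, F2, O4, O17, O23.
HJT_LINE = re.compile(r"^(?P<code>[RFON]\d+)\s+-\s+(?P<body>.*)$")
# O17 bodies end in "NameServer = a.b.c.d,e.f.g.h" (comma- or space-separated).
O17_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,\s]+)$")
# O20: "Winlogon Notify: <name> - <dll path> [(file missing)]"
O20_RE = re.compile(
    r"^Winlogon Notify:\s+(?P<name>\S+)\s+-\s+(?P<path>.+?)(?P<missing>\s+\(file missing\))?$")
# O23: "Service: <display name> - <owner> - <image path> [(file missing)]"
O23_RE = re.compile(
    r"^Service:\s+(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.+?)(?P<missing>\s+\(file missing\))?$")


def _parse_resolvers(field):
    """Split the NameServer value on commas or whitespace (both forms appear in HJT logs)."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def analyse_hjt_log(text, expected_resolvers):
    """Return a list of Finding tuples. expected_resolvers is an allowlist of
    addresses or CIDR blocks (an assumption: the resolvers the owner actually
    configured, e.g. the ISP's DNS servers or the home router)."""
    allowed = [ip_network(r, strict=False) for r in expected_resolvers]
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O17":
            m17 = O17_RE.search(body)
            if not m17:
                continue
            for server in _parse_resolvers(m17.group("servers")):
                try:
                    addr = ip_address(server)
                except ValueError:
                    findings.append(Finding(code, "unparseable-resolver", server, line))
                    continue
                # A NameServer value that is not one of the owner's resolvers is the
                # DNS redirection Frank describes: every lookup goes to someone else's server.
                if not any(addr in net for net in allowed):
                    findings.append(Finding(code, "unexpected-resolver", server, line))
        elif code == "O20":
            m20 = O20_RE.match(body)
            if not m20:
                continue
            # HijackThis hides the stock Windows Notify packages, so anything printed
            # here was added later. A missing DLL is a leftover registry reference;
            # a present one is a DLL that winlogon.exe loads at every logon.
            reason = "orphaned-notify-package" if m20.group("missing") else "notify-package-present"
            findings.append(Finding(code, reason, m20.group("name"), line))
        elif code == "O23":
            m23 = O23_RE.match(body)
            if m23 and m23.group("missing"):
                # The service registration survived after its image was deleted or
                # renamed (this thread's "Windows Management Service" pointing at ".exe").
                findings.append(Finding(code, "orphaned-service", m23.group("name"), line))
    return findings


def summarize(findings):
    """Group findings by reason into sorted, de-duplicated item lists."""
    groups = defaultdict(set)
    for f in findings:
        groups[f.reason].add(f.item)
    return {reason: sorted(items) for reason, items in groups.items()}


if __name__ == "__main__":
    # Assumed allowlist: a home router; replace with the resolvers you actually configured.
    for reason, items in summarize(analyse_hjt_log(SAMPLE_LOG, ["192.168.1.1"])).items():
        print(f"{reason}: {', '.join(items)}")
```

Run it against a real log with `analyse_hjt_log(open("hijackthis.log").read(), [...])`; an O17 resolver that reappears after being fixed is the rootkit sign Frank mentions.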
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 21, 2007, 11:30:07 PM
Hi Frank, F-Secure BlackLight did work to some extent:
it picked up a hidden process which RootkitRevealer did not pick up.
Hidden file: c:\WINDOWS\system32\cswxl.exe

I renamed it and rescanned with AVG Anti-Rootkit and F-Secure again;
nothing else was found...
but the firefox.exe keeps running  :(
I just suspended the process with Process Explorer..
And the VirusTotal analysis for cswxl.exe was surprisingly sad...
And as I expressed my inability to send malware to avast through the chest, I am helpless,
and even though I sent the malware through e-mail using 7z, password protected (even encrypting the names while zipping),
there have been no detections for the malware I sent.

AhnLab-V3 2007.6.21.1 06.21.2007  no virus found
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.DNSChanger.Gen
Authentium 4.93.8 06.21.2007 could be a corrupted executable file
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007 Downloader.Agent.KQC
BitDefender 7.2 06.21.2007 Trojan.Peed.Gen
CAT-QuickHeal 9.00 06.21.2007 TrojanDownloader.Agent.uj
ClamAV devel-20070416 06.21.2007  no virus found
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.21.2007 Win32.Agent.uj
eTrust-Vet 30.8.3731 06.21.2007 Win32/Alureon!generic
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.21.2007  no virus found
Fortinet 2.91.0.0 06.21.2007 Agent.BC!tr.spy
F-Prot 4.3.2.48 06.21.2007 W32/new-malware!Maximus
F-Secure 6.70.13030.0 06.20.2007 Trojan-Downloader.Win32.Agent.uj
Ikarus T3.1.1.8 06.21.2007 Trojan-Downloader.Win32.Agent.uj
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Agent.uj
McAfee 5058 06.21.2007 Spy-Agent.bc
Microsoft 1.2607 06.21.2007 Trojan:Win32/Alureon.A
NOD32v2 2343 06.21.2007 a variant of Win32/Small.FB
Norman 5.80.02 06.21.2007 W32/DNSChanger.CJL
Panda 9.0.0.4 06.21.2007 Trj/Ruins.MB
Sophos 4.18.0 06.21.2007 Mal/Behav-027
Sunbelt 2.2.907.0 06.21.2007 Bloodhound.Packed.7
Symantec 10 06.21.2007 Downloader
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.21.2007 MalwareScope.Trojan.DnsChange.1
VirusBuster 4.3.23:9 06.21.2007 
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Dldr.DNSChanger.Gen

Gee, I have accumulated a lot of malware which avast does not detect, but I am helpless ???
Title: Re: multiple infection!!!!!
Post by: DavidR on June 21, 2007, 11:31:20 PM
@ sasin44
Don't forget to send samples to avast, it may help others.

You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 21, 2007, 11:36:56 PM
Yes, after 4 recent infections I will DropMyRights from now on..
And David, can you help me with this "not able to send samples to avast" problem??
I downloaded Thunderbird guessing that it is needed to send the samples, but it says POP3 is not enabled for my Gmail account,
so I've got to look into it. I hope I will be able to send samples to avast soon.
And any suggestions on how to stop firefox.exe?
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 21, 2007, 11:45:25 PM
And here is the link from where I got the malware....
http://rapidshare.com/files/37754284/RapidShare_Premium_Accounts_Generator.zip.html


And it does not generate any valid keys ;D

I guess the 2.56 MB file is packed with multiple malware, one of them a rootkit which F-Secure detected, and the other a yet undetected one which has my Firefox running.
Someone pass it on to avast... God knows how many malware I am infected
with..
Title: Re: multiple infection!!!!!
Post by: Lisandro on June 22, 2007, 12:26:02 AM
And David, can you help me with this "not able to send samples to avast" problem??
I downloaded Thunderbird guessing that it is needed to send the samples, but it says POP3 is not enabled for my Gmail account
The avast mail scanner doesn't support SSL (Secure Socket Layer) connections and does not scan Gmail as is. But take a look here: http://forum.avast.com/index.php?topic=10428.0 to see how to set up secure email with avast!.

The solution is to pass e-mail in and out unencrypted from your client (Outlook Express, Thunderbird, ...) to a proxy program (Stunnel) that does the actual SSL or TLS encryption/decryption of the POP3/SMTP e-mail and communicates directly with the ISP server on the appropriate ports. Download here: http://www.stunnel.org/download/binaries.html

And any suggestions on how to stop firefox.exe?
What do you mean?
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 22, 2007, 12:50:11 AM
The firefox.exe is run by the malware; I am using Internet Explorer..
I have Mozilla installed on my system but I did not click on it. It's autostarting and running by itself..
and even the browser window is not showing...........

And I am 100% sure that the link I gave you has a virus.. because 45 seconds after I clicked the .exe file all these things happened :(
OK, one ultimate test: extract the file and try to generate an account for yourself ;D
Just kidding.. I am sure it is some kind of super advanced malware, maybe the first of its kind..
F-Secure BlackLight just found the rootkit....component..
The Firefox you see in my HijackThis log is most likely a dialer.

And can I know which software you use to get snapshots of your window??
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 22, 2007, 12:57:44 AM
See, as I suspected the exe file is rigged. Extract the zip file and scan it,
and note none of the top antivirus softs detect it, so if avast detects it.. it'll be great.
And none of them detected
Hidden file: c:\WINDOWS\system32\cswxl.exe
In the original exe file it is mostly encrypted inside the exe.

Complete scanning result of "RapidShare_Premium_Accounts_Gener", received in VirusTotal at 06.22.2007, 00:41:09 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007  no virus found
AntiVir 7.4.0.34 06.21.2007 BDS/Bifrose.NU
Authentium 4.93.8 06.21.2007  no virus found
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
CAT-QuickHeal 9.00 06.21.2007  no virus found
ClamAV devel-20070416 06.21.2007 Trojan.Pakes-248
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.21.2007  no virus found
eTrust-Vet 30.8.3731 06.21.2007  no virus found
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.22.2007  no virus found
Fortinet 2.91.0.0 06.21.2007  no virus found
F-Prot 4.3.2.48 06.21.2007  no virus found
F-Secure 6.70.13030.0 06.20.2007  no virus found
Ikarus T3.1.1.8 06.21.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 06.22.2007  no virus found
McAfee 5058 06.21.2007  no virus found
Microsoft 1.2607 06.21.2007  no virus found
NOD32v2 2343 06.21.2007  no virus found
Norman 5.80.02 06.21.2007  no virus found
Panda 9.0.0.4 06.22.2007  no virus found
Sophos 4.18.0 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.21.2007 VIPRE.Suspicious
Symantec 10 06.22.2007  no virus found
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.21.2007  no virus found
VirusBuster 4.3.23:9 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Bifrose.NU
Title: Re: multiple infection!!!!!
Post by: rdmaloyjr on June 22, 2007, 01:14:30 AM
And here is the link from where I got the malware....
http://rapidshare.com/files/37754284/RapidShare_Premium_Accounts_Generator.zip.html
I checked "http://rapidshare.com/files/37754284/RapidShare_Premium_Accounts_Generator.zip.html" with Dr. Web Link Checker and it was clean. Maybe Dr.Web is wrong?
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 22, 2007, 01:23:11 AM
Nah.. I downloaded the zip file, extracted it and sent it to VirusTotal for analysis..
You can see the results yourself.. and this was a link given in one of the forums, so I guess it is deliberate,
so I have to look up info on the Bifrose trojan.

And just a reminder, I am having multiple infections, as the topic reads..
1. the rpcc.dll infection, which I knew was there for the past few days
2. the rootkit infection which F-Secure removed, which came from this exe
3. and the current dialer problem; I still have the process running as firefox.exe
Title: Re: multiple infection!!!!!
Post by: DavidR on June 22, 2007, 01:32:30 AM
And here is the link from where I got the malware....
http://rapidshare.com/files/37754284/RapidShare_Premium_Accounts_Generator.zip.html

And it does not generate any valid keys ;D

I guess the 2.56 MB file is packed with multiple malware, one of them a rootkit which F-Secure detected, and the other a yet undetected one which has my Firefox running.
Someone pass it on to avast... God knows how many malware I am infected
with..

Is this the name of the file you uploaded, 'RapidShare_Premium_Accounts_Generator.zip'? That would seem very strange to me. A more appropriate name such as suspect-files.zip, etc. would be better.

I also doubt 'RapidShare.com' was the source of your malware, or did you mean "here is the link where I have stored the malware...."?

Sorry, I'm totally confused now.

I thought you were talking about the rpcc.dll and cswxl.exe that you did the VirusTotal/Jotti checks on. If that were the case I would be happy to help, but downloading a 2.5MB file and then sending it by email, whilst on dial-up, is going to take too long.
Title: Re: multiple infection!!!!!
Post by: DavidR on June 22, 2007, 01:53:25 AM
I don't know what you have been trying to do but you shouldn't need to download anything from rapidshare, just create a free account, when you first try to upload a file it will ask you to create an account. You don't have to create a premium account, click the Browse and select the file you want to upload (like VirusTotal), once selected, click Upload, at this point you will be asked to create an account.

So there should be absolutely no need to download anything from rapidshare. I didn't have an account but created one just for the creation steps and uploaded the first image you see below, http://rapidshare.com/files/38609337/b1134.gif (http://rapidshare.com/files/38609337/b1134.gif).

So the free account is setup and working and no download required.
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 22, 2007, 02:09:01 AM
Well, that was confusing I guess ;D
OK, let me clear it up for you..
1. I came to know I was infected when AVG Anti-Spyware picked up a memory-resident malware.. which it could not remove.. so I analysed the HijackThis log myself and found out that rpcc.dll was the cause,
but I ignored it.
2. I downloaded the zipped file from a link (RapidShare was the server on which the file was uploaded)
and after I clicked on the downloaded file
I got infected with a rootkit, which F-Secure removed,
and I still have the dialer problem...

Normal RapidShare accounts have download limitations.. ;)
I was trying to get a premium account without paying for it  ;)
Title: Re: multiple infection!!!!!
Post by: DavidR on June 22, 2007, 02:21:47 AM
I really doubt you need a premium account; certainly not for this instance, free would be fine.

Quote

Which DOWNLOAD RULES have to be followed? (Terms of use)
    * Free users have to enter some letters before the downloads start in order to have the permission to use the infrastructure of RapidShare for free.
    * Free users may only download a certain amount of Megabytes per hour. If this amount is exceeded, a message will appear.
    * If a free user violates these terms of use, RapidShare has the right to permanently ban the free user from the RapidShare network.
    * People writing programs with the goal to violate our terms of use will be made fully responsible for the financial losses/damages.


So the download restriction doesn't seem punitive, x MB per hour, so if you aren't trying to set up some file-sharing cartel you shouldn't have a problem for occasional use.
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 22, 2007, 02:34:31 AM
 ;D ;D
Super good news: I got rid of the rpcc.dll infection..
1>> booted in safe mode with command prompt and made sure rpcc.dll did not load..
2>> deleted the registry entries it created
3>> moved and renamed the file so that I can send it to Alwil for analysis
4>> booted in normal mode, scanned with AVG Anti-Spyware

and the system was clean ;)
Now I will post my new HijackThis log so that I can remove the malware that is executing firefox.exe.

And coming to the download issue, I chose to enter a few letters to start the download ;(
And about that, I had a more illegal purpose (MAYBE to download m0v1es and tv shows which are more than the free limit  :-X :-X) in mind, so I want a premium account.. :-[ :-[
And David, I asked about the software you use to take screenshots of your windows.
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 22, 2007, 02:41:40 AM
Logfile of HijackThis v1.99.1
Scan saved at 6:06:13 AM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Azureus\Azureus.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE >>>>>>>>>>>>>>>>>>>>>>>>>> I am not using Firefox, the malware is using it  >:( >:( >:(
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
F:\softwares\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{E594B39C-D9A5-4E09-B363-7CBDDD2066EE}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O20 - Winlogon Notify: hggedbx - hggedbx.dll (file missing)
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmlnh.exe (file missing)


and can someone enlighten me why some files are reported as missing???
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 22, 2007, 05:09:11 AM
malware poisonivy
infection time 11:39 pm IST
nailed at 8:30 am next day
3rd longest infection!!!!                         

ha ha ha ha ha ha aha ah ..
nailed that little bugger ..jus super :)

well here i was infected with poisonivy this little bugger is 1.14 mb
here is where i found it
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0F4D3821-12C5-C8D5-0208-080506020803}

path c:\windows\system32\patch.exe
nailed em nailed em
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 22, 2007, 05:10:05 AM
STATUS: FINISHED
Complete scanning result of "Patch.exe", received in VirusTotal at 06.22.2007, 04:52:40 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007  no virus found
AntiVir 7.4.0.34 06.21.2007 BDS/Bifrose.NU
Authentium 4.93.8 06.22.2007  no virus found
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
CAT-QuickHeal 9.00 06.21.2007  no virus found
ClamAV devel-20070416 06.22.2007 Trojan.Pakes-248
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.21.2007  no virus found
eTrust-Vet 30.8.3733 06.22.2007  no virus found
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.22.2007  no virus found
Fortinet 2.91.0.0 06.21.2007  no virus found
F-Prot 4.3.2.48 06.21.2007  no virus found
F-Secure 6.70.13030.0 06.22.2007 PoisonIvy.gen15
Ikarus T3.1.1.8 06.21.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 06.22.2007  no virus found
McAfee 5058 06.21.2007  no virus found
Microsoft 1.2701 06.22.2007  no virus found
NOD32v2 2343 06.21.2007  no virus found
Norman 5.80.02 06.21.2007 PoisonIvy.gen15
Panda 9.0.0.4 06.22.2007  no virus found
Sophos 4.18.0 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.21.2007 VIPRE.Suspicious
Symantec 10 06.22.2007  no virus found
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.21.2007  no virus found
VirusBuster 4.3.23:9 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Bifrose.NU
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 22, 2007, 05:15:45 AM
hi can any of u get ur mail id some one with broad band so i can mail a whole bunch of malware to u [encrypted] and u can mail them to Alwil thru ur virus chest :)

and thanks for ur help dravid
u still haven't told me what software u use to take screenshots ..its pretty good ;)
 ;D
and i hope i can send it to avast thru some one as soon as possible

Title: Re: multiple infection!!!!!
Post by: FreewheelinFrank on June 22, 2007, 10:34:07 AM
You need to remove the DNS hijack entries. Submit the file for analysis here:

http://www.hijackthis.de/ (http://www.hijackthis.de/)

In the results, look at the 017 entries. Click on the domain to get more info.

Do a Google search to see if that domain/host is associated with a DNS hijack.

(The analysis highlights some as bad, some as questionable. They all seem to resolve to Inhoster in the Ukraine, which sets off alarm bells in my head, but check for yourself.)

If you haven't run all of the anti-rootkit scanners I mentioned, I suggest trying the other two, as they sometimes find different things. This goes for the anti-malware scanners as well.

Dr Web CureIT! is another good scanner to try.

And downloading cracks and keygens is like having unprotected sex with a Brazilian transvestite street hooker: you're going to get infected.  ;)
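To make the O17 check Frank describes repeatable, here is an added Python example (not code from this thread and not part of HijackThis) that parses the log format posted above. It reports NameServer entries that are neither the configured resolvers nor private addresses, and it also lists the O20 Winlogon Notify and O23 service entries marked "(file missing)". The EXPECTED_RESOLVERS set is a constructed assumption; the sample lines are copied from the log posted earlier in this thread.

```python
"""Triage a HijackThis log for the O17 DNS-hijack and O20/O23 "file missing"
patterns discussed in this thread.

Added example; not part of the original thread or of HijackThis itself."""
import re
from ipaddress import ip_address

# Resolvers this machine is expected to use: a constructed assumption, replace
# with your router's or ISP's addresses.  Anything else that is not a private
# (RFC 1918) address in an O17 line is reported.
EXPECTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)"
                    r"(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
                    r"(?P<missing> \(file missing\))?$")

# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O20 - Winlogon Notify: hggedbx - hggedbx.dll (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmlnh.exe (file missing)
"""


def nameservers(field):
    """Split a NameServer value.  HijackThis shows the per-adapter keys
    comma-separated and the Parameters key space-separated."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def is_unexpected(server):
    """True for a resolver that is neither configured nor on a private range
    (a hostname instead of an IP is treated as unexpected as well)."""
    if server in EXPECTED_RESOLVERS:
        return False
    try:
        return not ip_address(server).is_private
    except ValueError:
        return True


def triage(log_text):
    """Return (section, item, reason) tuples for the suspicious lines."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O17_RE.match(line)
        if m:
            bad = [s for s in nameservers(m["servers"]) if is_unexpected(s)]
            if bad:
                findings.append(("O17", m["key"], "unexpected NameServer " + ",".join(bad)))
            continue
        m = O20_RE.match(line)
        if m:
            if m["missing"]:
                findings.append(("O20", m["name"],
                                 f"Winlogon Notify loads missing {m['dll']}"))
            continue
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner" and m["missing"]:
            findings.append(("O23", m["name"],
                             f"unknown owner and missing binary {m['path']}"))
    return findings


def hijack_resolvers(findings):
    """Unique resolver addresses from the O17 findings, ready for a whois or
    web lookup as suggested above."""
    out = set()
    for section, _, reason in findings:
        if section == "O17":
            out.update(reason.split(" ", 2)[2].split(","))
    return sorted(out)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for finding in results:
        print(*finding, sep=" | ")
    print("resolvers to look up:", hijack_resolvers(results))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the O17 lines in the Parameters keys and the per-adapter keys are both caught because the splitter accepts either separator.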
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 22, 2007, 12:42:17 PM
gee frankie come on don't be so sour
 :'(
different people have different computer ethics

AVG-antispy>>>>>>complete systemscan >>>>no threats found
avast boot time scan>>> 0 files infected
fsecure blacklight>>>>>clean
panda antirootkit >>>>>no rootkits found
AVG anti rootkit >>>>>>no root kits found
panda nano scan >>> error connecting to server
ad aware>>>>>>> clean
rootkit revealer>>>>no rootkits found
 ;D
 home free  :P


Title: Re: multiple infection!!!!!
Post by: FreewheelinFrank on June 22, 2007, 02:09:56 PM
Quote
gee frankie come on dont be so sour

Just a bit of advice, that's all. If you want to hand your computer over to the bad guys again, feel free.

At least use VirusTotal in future so you have the best chance of catching any malware.  ;)
Title: Re: multiple infection!!!!!
Post by: DavidR on June 22, 2007, 05:08:53 PM
<snip>
and thanks for ur help dravid
u still haven't told me what software u use to take screenshots ..its pretty good ;)
<snip>

I didn't notice you had asked, but I use SnagIt 8.2.1. Though it isn't free, it is an excellent program; there are some that may not be as flexible but are more than adequate for most people's limited needs. But if you do a lot of screenshot work it is well worth the cost.

WinSnap screen capture - version 1 is FREE for personal - http://www.filehippo.com/download_winsnap/?2173 (http://www.filehippo.com/download_winsnap/?2173)
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 22, 2007, 05:14:28 PM
http://rapidshare.com/files/38715503/malware.7z
password: virus

some one download it from there and pass it on to Alwil.. all have exe files don't be stupid and click on one of them. there is a collection of malware with downloaders,trojans,dll injectors and root kits which avast does not detect yet ;)
 and dravid thanks for that link ..
and do u use AVG anti spy..
u use the free version or the paid version ???
Title: Re: multiple infection!!!!!
Post by: DavidR on June 22, 2007, 05:28:29 PM
Quote
and dravid thanks for that link ..

You're welcome, it is David not dravid ;D
Title: Re: multiple infection!!!!!
Post by: FreewheelinFrank on June 22, 2007, 06:28:34 PM
Quote
Background

Since June of 2006, numerous users have reported experiencing similar issues with their browser which were later found attributable to a malicious trojan - specifically one based on Poison Ivy, an advanced "reverse connection", firewall-bypassing remote administration tool. The trojan creates a 'server' file on the affected system which alerts the trojan-maker when an affected system is online and which then gives access to, monitoring of, and even complete control of an infected user's system - giving him (among other things) the possibility to steal usernames & passwords, banking or credit card info, or any other private information that may have been stored, typed or viewed on-screen while the computer is infected. The default settings is for the malicious 'server' file to inject itself into the target system's Default Browser memory space and then run as a phony 'duplicate' browser process, which enables it to bypass detection by firewalls and routers. So while many Firefox users naturally assumed the problems they were experiencing were a 'Firefox problem', they would in fact have happened whichever browser was set as their system Default.

While there are other similar Remote-Admin apps used by trojan-makers, Poison Ivy quickly became popular for a number of reasons - it was new, it could be deployed without arousing much suspicion, it injected itself into the Default Browser process, and it had an attractive range of monitoring & set-up features. One such feature was the apparently unique 'Persistence' option - if enabled, the server file located on the infected system will restart itself even when the process is manually killed by the user - which means more 'up time' for the hacker - no waiting for the infected user to reboot their system or manually restart an affected application. Another handy feature is the 'Melt' function - which deletes the original infected file upon first run, so that a user cannot inspect it or uploaded to an anti-virus company's database.


Quote
Removal

Caution: While these steps should be safe to perform if followed correctly, you should never edit the registry if you don't feel confident or are unsure of what you are doing. If your Anti-virus software failed to remove the trojan, but you are not comfortable removing it yourself, please seek support from your security software provider, your pc manufacturer or a local repair shop - or anyone you trust with your machine.

If any of the above tell-tale signs were found but your AV/spyware scanner failed to quarantine/clean a trojan from your system, you can use the following steps to manually remove the trojan and its all related traces from your system:

   1. Reboot into Windows Safe Mode (Reset the computer and press the F8 key repeatedly until Safe Mode prompt comes up prior to Windows startup)
   2. Run Registry Editor (Start Button -> Run, then type "regedit" and click OK) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components and look for, back up, and remove any sub-key(s) that *only* have a StubPath entry. It's advisable to back up any registry keys before you remove them (just in case). Right-click on the appropriate Key(s) in the left-side pane and choose Export from the context-menu. Give the file a name and save it to your Desktop as a .reg file. ex: SuspiciousKey1.reg. If you later wish to undo the deletion of the Key, double-click the .reg file and say "Yes" to merge the Key back into your registry.
   3. Delete the suspicious files you found during the 'confirming the presence of malware' step (above).
   4. Reboot into Windows (normal mode).
   5. Double-check everything to make sure it hasn't returned!
   6. Please Note: As of April 6, 2007; Ivy will re-create the registry key. Instead of deleting the random key, change the value of "stubpath" to something that is not a file path, such as: Disabled This will ensure the process does not start again, and should clear your task manager up.

Quote
Alert!

Worth mentioning again: If you were indeed affected by Poison Ivy or a similar trojan, be warned that a hacker may have had access to all of your user-names, passwords and other private information that was either stored on your computer or that you had typed during the period that you were infected. The Webroot SpySweeper webpage for the Poison Ivy trojan warns:

    It is recommended that you change all of your passwords AFTER removing this [trojan]. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.

Quote
Prevention

    * Be especially wary of downloading & installing executable files posted on messageboards or arriving via email. If you weren't expecting the file but it appears to be from someone you know, email them back and confirm that they sent it - viruses are known for using Address Books to spread.
    * Update your virus scanner / spyware software regularly.
    * Go into your firewall configuration's Program Control area and remove all references to Firefox so that any inadvertently-allowed Ports that may have previously been granted access privileges can be reset.
    * Pay attention to firewall alerts. If you were not expecting a Port to be accessed, take the time to find out what it is, where it is, and why it is trying to connect to your computer. Perform a web-search on the IP address and on the Port number, and on the application filename that requested it. You are probably not the first to experience it and question it. Use that to your advantage - be safe rather than sorry.
    * Be aware of what processes normally run on your system so that you can recognize any unusual activity. It's possible to add the Task Manager to your Startup Folder, and change its Properties to 'Run Minimized' so that it loads with Windows and hides in the tray where it's always quickly accessible.

http://kb.mozillazine.org/Firefox.exe_always_open (http://kb.mozillazine.org/Firefox.exe_always_open)
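The removal steps quoted above hinge on one test (an Installed Components sub-key whose only value is StubPath) and one workaround (overwrite StubPath with "Disabled" rather than deleting the key). Here is an added Python example, not from this thread or the Mozillazine page, that applies both to a .reg file exported from that key with regedit, so the check can be done from the export without hand-reading the registry. The sample export is constructed: the first component is a placeholder imitating a legitimate entry, the second uses the key and path sasin44 reported earlier in this thread.

```python
"""Find Active Setup\\Installed Components sub-keys that carry only a StubPath
value (the sign the quoted removal steps look for) in a regedit .reg export,
and build the "Disabled" StubPath override from step 6.

Added example; not from this thread or the Mozillazine page it quotes."""

ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"

# Constructed sample export (regedit -> right-click the key -> Export).  The
# first component imitates a legitimate entry with a placeholder GUID and name;
# the second uses the key and path reported in this thread.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
@="Example Component (constructed)"
"IsInstalled"=dword:00000001
"StubPath"="regsvr32.exe /s example.dll"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0F4D3821-12C5-C8D5-0208-080506020803}]
"StubPath"="c:\\windows\\system32\\patch.exe"
'''


def parse_reg(text):
    """Parse the subset of the .reg format needed here: [key] headers and
    "name"=value or @=value lines.  Returns {key_path: {value_name: raw_value}}."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        tree[current]["@" if name == "@" else name.strip('"')] = value
    return tree


def reg_string(raw):
    """Decode a REG_SZ literal ("..." with \\ and \" escapes); other value types
    (dword:, hex:) are returned as the raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def stubpath_only(tree, parent=ACTIVE_SETUP):
    """Direct sub-keys of parent whose only value is StubPath, as
    (key_path, decoded StubPath) pairs."""
    hits = []
    prefix = parent.lower() + "\\"
    for key, values in tree.items():
        if not key.lower().startswith(prefix) or "\\" in key[len(prefix):]:
            continue
        if set(values) == {"StubPath"}:
            hits.append((key, reg_string(values["StubPath"])))
    return hits


def neutralising_reg(hits):
    """A .reg that overwrites StubPath with "Disabled" for each hit, keeping the
    key in place because the quoted note says the trojan re-creates it."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, _ in hits:
        out += [f"[{key}]", '"StubPath"="Disabled"', ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = stubpath_only(parse_reg(SAMPLE_REG))
    for key, path in found:
        print(f"StubPath-only component: {key}\n    runs: {path}")
    print(neutralising_reg(found))
```

A real export from regedit is written in UTF-16, so read it with `open(path, encoding="utf-16")` before passing it to `parse_reg`. Review each hit against what is actually installed before merging the generated .reg, since the StubPath-only pattern is a heuristic and the override is meant to be applied only to the entries you have confirmed as foreign.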
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 22, 2007, 08:14:42 PM
thanks for that tip so should i send the original file which i still have in the zipped format to avast ???
i sent only the extracted file...
and one more thing i would like to clarify ..
when we use virus total .. there is option on the page that says not to give the uploaded sample for analysis....
so by not clicking that and uploading the file does it mean that the file will be passed on to all the anti virus companies ..and also avast???? 
Title: Re: multiple infection!!!!!
Post by: Lisandro on June 23, 2007, 03:32:32 AM
does it mean that the file will be passed on to all the anti virus companies ..and also avast???? 
Yes.
Title: Re: multiple infection!!!!!
Post by: DavidR on June 23, 2007, 02:54:03 PM
does it mean that the file will be passed on to all the anti virus companies ..and also avast???? 
Yes.

Whilst yes is the correct answer, by all accounts this isn't very prompt and one of the team has mentioned that a lot of junk is also generated. So I wouldn't rely on it; I would say, if possible, send it directly to avast, preferably from the chest.

We all await the planned update to the avast submission process, though they aren't forthcoming about a timetable for it.
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 24, 2007, 09:37:08 PM
yeah but i always press the don't distribute to anti-vir companies option cos.
why give free samples to companies like
bitdefender,norton,microsoft
who sell their products at elevated prices..
its like they are selling wat we give them for free..
and that the least of the concern considering the
buggy,non user-friendly,CPU gobbling ,crappy interface software they try to sell..
in fact i think they should be paying us to use that... ;D ;D
Title: Re: multiple infection!!!!!
Post by: DavidR on June 24, 2007, 10:52:50 PM
That action would also deny it to avast if avast didn't detect it. So you would have to find a way to send the samples as you have web based email.
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 24, 2007, 11:17:15 PM
yes i promptly send all my samples with the virustotal analysis and added comment..to avast but it takes weeks for them to put it in the data base... and some samples are not yet detected ..thats the matter of concern.....
Title: Re: multiple infection!!!!!
Post by: Lisandro on June 24, 2007, 11:28:28 PM
That's the matter of concern
Yeah... we complain a lot about detection... but never seems enough :'(
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 26, 2007, 06:13:28 PM
hi i totally forgot to mention another symptom when i was affected with that root kit that fsecure detected...
u people know that there is a system hidden folder called "system volume information" in each drive that stores the restore points.. when we untick the "show hidden system files" in the folder options box..it is seen and when u try to click on it the access is denied..............
well when u are infected with that root kit. the folder becomes accessible, i mean u can go into the folder and explore it and stuff.
now its ok since i have removed the root kit.... i guess avast should give root kits more importance..when they are updating their detection
Title: Re: multiple infection!!!!!
Post by: sasin44 on June 26, 2007, 06:29:09 PM
system volume information accessible+rootkit

guys i could not get u any direct links sorry my net is down.. so try giving these words in the google search box.. i guess it is a little known root kit.. and if any virus analysts are here in the forum i would gladly pass a sample on to them no problem . cause root kits are more dangerous  :P